Many computer systems are configured to prohibit access to data unless the user has a sufficient authorization. Such authorizations for one or more users may be stored in the computer system and may be consulted upon a user seeking access to specific data. Depending on the kind of data stored in the system and on other factors, it may be desirable to issue more than one authorization for a user.
An example of an existing system that manages user authorizations is a computer system available from SAP AG in Walldorf (Baden), Germany, such as a Business Information (BI) Warehouse system or a Customer Relationship Management (CRM) system. Such systems use “authorization objects” that can be configured by filling in up to ten authorization fields per user. The authorization objects are evaluated serially and if a first authorization object does not permit access to the sought data, the system does not evaluate the remaining authorization object(s). Moreover, a condition for granting access is that the sought data falls within all evaluated authorization objects, that is, within the intersection of the authorization objects.